* BC Warning: Fixed `https_proxy` env var falling back to `http_proxy`'s value. The fallback and warning have now been removed per the 2.7.3 release notes (#11938, #11915)
* Added `--patch-only` flag to the `update` command to restrict updates to patch versions and make an update of all deps safer (#12122)
* Added `--abandoned` flag to the `audit` command to configure how abandoned packages should be treated, overriding the `audit.abandoned` config setting (#12091)
* Added `--ignore-severity` flag to the `audit` command to ignore one or more advisory severities (#12132)
* Added `--bump-after-update` flag to the `update` command to run bump after the update is done (#11942)
* Added a way to control which `scripts` receive additional CLI arguments and where they appear in the command, see [the docs](https://getcomposer.org/doc/articles/scripts.md#controlling-additional-arguments) (#12086)
* Added `allow-missing-requirements` config setting to skip the error when the lock file is not fulfilling the composer.json's dependencies (#11966)
* Added a JSON schema for the composer.lock file (#12123)
* Added better support for Bitbucket app passwords when cloning repos / installing from source (#12103)
* Added `--type` flag to filter packages by type(s) in the `reinstall` command (#12114)
* Added `--strict-ambiguous` flag to the `dump-autoload` command to make it return with an error code if duplicate classes are found (#12119)
* Added warning in `dump-autoload` when vendor files have been deleted (#12139)
* Added warnings for each missing platform package when running `create-project` to avoid having to run it again and again (#12120)
* Added sorting of packages in allow-plugins when `sort-packages` is enabled (#11348)
* Added suggestion of provider packages / polyfills when an ext or lib package is missing (#12113)
* Improved interactive package update selection by first outputting all packages and their possible updates (#11990)
* Improved dependency resolution failure output by sorting the output in a deterministic and (often) more logical way (#12111)
* Fixed PHP 8.4 deprecation warnings about `E_STRICT` (#12116)
* Fixed `init` command to validate the given license identifier (#12115)
* Fixed version guessing to be more deterministic on feature branches if it appears that it could come from either of two mainline branches (#12129)
* Fixed COMPOSER_ROOT_VERSION env var handling to treat 1.2 the same as 1.2.x-dev and not 1.2.0 (#12109)
* Fixed require command skipping new stability flags from the lock file, causing invalid lock file diffs (#12112)
* Fixed php://stdin potentially being open several times when running Composer programmatically (#12107)
* Fixed handling of platform packages in why-not command and partial updates (#12110)
* Reverted "Fixed transport-options.ssl for local cert authorization being stored in lock file making them less portable (#12019)" from 2.7.8 as it was broken
* Fixed regression (`Call to undefined method ProxyManager::needsTransitionWarning()`) with projects requiring composer/composer in a pre-2.7.3 version (#11943, #11940)
* BC Warning: Fixed `https_proxy` env var falling back to `http_proxy`'s value, this is still in place but with a warning for now, and https_proxy can now be set empty to remove the fallback. Composer 2.8.0 will remove the fallback so make sure you heed the warnings (#11915)
* Fixed `show` and `outdated` commands to remove leading `v` in e.g. `v1.2.3` when showing lists of packages (#11925)
* Fixed `audit` command not showing any id when no CVE is present, the advisory ID is now shown (#11892)
* Fixed the warning about a missing default version showing for packages with `project` type as those are typically not versioned and do not have cyclic dependencies (#11885)
* Fixed PHP 8.4 deprecation warnings
* Fixed `clear-cache` command to respect the config.cache-dir setting from the local composer.json (#11921)
* Security: Fixed code execution and possible privilege escalation via compromised vendor dir contents (GHSA-7c6p-848j-wh5h / CVE-2024-24821)
* Changed the default of the `audit.abandoned` config setting to `fail`, set it to `report` or `ignore` if you do not want this, or set it via `COMPOSER_AUDIT_ABANDONED` env var (#11643)
* Added --minimal-changes (-m) flag to `update`/`require`/`remove` commands to perform partial update with --with-dependencies while changing only what is absolutely necessary in transitive dependencies (#11665)
* Added --sort-by-age (-A) flag to `outdated`/`show` commands to allow sorting by and displaying the release date (most outdated first) (#11762)
* Added support for `--self` combined with `--installed` or `--locked` in `show` command, to add the root package to the package list being output (#11785)
* Added severity information to `audit` command output (#11702)
* Added `scripts-aliases` top level key in composer.json to define aliases for custom scripts you defined (#11666)
* Added IPv4 fallback on connection timeout, as well as a `COMPOSER_IPRESOLVE` env var to force IPv4 or IPv6, set it to `4` or `6` (#11791)
* Added support for wildcards in `outdated`'s --ignore arg (#11831)
* Added support for `bump` command bumping `*` to `>=current version` (#11694)
* Added detection of constraints that cannot possibly match anything to `validate` command (#11829)
* Added package source information to the output of `install` when running in very verbose (-vv) mode (#11763)
* Added audit of Composer's own bundled dependencies in `diagnose` command (#11761)
* Added GitHub token expiration date to `diagnose` command output (#11688)
* Added non-zero status code to why/why-not commands (#11796)
* Added error when calling `show --direct <package>` with an indirect/transitive dependency (#11728)
* Added `COMPOSER_FUND=0` env var to hide calls for funding (#11779)
* Fixed `bump` command not bumping packages required with a `v` prefix (#11764)
* Fixed automatic disabling of plugins when running non-interactive as root
* Fixed `update --lock` not keeping the dist reference/url/checksum pinned (#11787)
* Fixed `require` command crashing at the end if no lock file is present (#11814)
* Security: Fixed possible remote code execution vulnerability if composer.phar is publicly accessible, executable as PHP, and register_argc_argv is enabled in php.ini (GHSA-jm6m-4632-36hf / CVE-2023-43655)
* Added audit.abandoned config setting. Can be set to `ignore`, `report` (current default) or `fail` (future default in 2.7) to make the audit command report abandoned packages as a security problem (#11639)
* Added a warning when duplicate `files` autoload rules are detected (#11109)
* Reverted "Fixed binary proxies causing scripts inspecting `$_SERVER['SCRIPT_NAME']` to detect them, they are now more transparent (#11562)" which caused a regression (#11617)
* Fixed non-zero exit code on failed audits to only apply to `install --audit` runs and not implicit audits with `require`, `create-project` or `update` commands (#11616)
* Fixed `create-project` infinite post-install loop in some circumstances (#11613)
* Fixed `install` exit code to be non-zero (5) if a requested security audit failed (#11362)
* ~~Fixed binary proxies causing scripts inspecting `$_SERVER['SCRIPT_NAME']` to detect them, they are now more transparent (#11562)~~ (Reverted in 2.6.2)
* ~~Fixed executability of non-php binaries which are not marked executable (#11557)~~ (Reverted in 2.6.1)
* BC Warning: Installers and `InstallationManager::getInstallPath` will now return `null` instead of an empty string for metapackages' paths. This may have adverse effects on plugin code that expects this to always be a string, but it is unlikely (#11455)
* Fixed metapackages showing their install path as the root package's path instead of empty (#11455)
* Fixed lock file verification on `install` to deal better with `replace`/`provide` (#11475)
* Fixed lock file having a more recent modification time than the vendor dir when `require` guesses the constraint after resolution (#11405)
* Fixed numeric default branches with a `v` prefix being treated as non-numeric ones and receiving an alias like e.g. dev-main would (e51d755a08)
* Fixed binary proxies not being transparent when included by another PHP process and returning a value (#11454)
* Fixed support for plugin classes being marked as `readonly` (#11404)
* Fixed `getmypid` being required as it is not always available (#11401)
* Fixed authentication issue when downloading several files from private Bitbucket in parallel (#11464)
* BC Warning: To prevent abuse of our includeFile() function it is now gone, it was not part of the official API but may still cause issues if some code incorrectly relied on it (#11015)
* Improved version guessing of `require` command to use the dependency resolution result instead of using the latest available version (except if you run with --no-update) (#11160)
* Improved version selection in `archive` command (#11230)
* Added autocompletion of config option names in the `config` command (#11130)
* Added support for writing [custom commands as Command classes](https://getcomposer.org/doc/articles/scripts.md#writing-custom-commands) (#11151)
* Added hard failure when installing from a lock file which does not satisfy the composer.json requirements (#11195)
* Added warning when the outdated command rejects a new package due to unmet platform requirements (#11113)
* Added support for `bump` command to bump `>=x` to `>=installed-version` (#11179)
* Added `--download-only` flag to `install` command to only download and prime the cache with the package archives (#11041)
* Added autoconfiguration of `github-domains`/`gitlab-domains` when GitHub/GitLab credentials are configured for a custom domain (#11062)
* Added hard failure (throw) if COMPOSER_AUTH is present and malformed JSON (#11085)
* Added interactive prompt to `run-script` and `exec` commands if run without any argument (#11157)
* Added interactive prompt where to store credentials when a project-local auth.json exists (#11188)
* Fixed full disk warning to be shown when less than 100MiB is available (#11190)
* Fixed cache keys to allow `_` to avoid conflicts between package names like `a-b` and `a_b` (#11229)
* Fixed docker compatibility by making paths more portable even if the project is installed at `/` (#11169)
* Fixed bash completion hanging when running as root without `COMPOSER_ALLOW_SUPERUSER` set (#11024)
* Fixed handling of plugin activation when running as root without `COMPOSER_ALLOW_SUPERUSER` set so it always happens after prompting, or does not happen if input is non-interactive
* Added bash completions for Composer commands, package names, etc (see [how to setup](https://getcomposer.org/doc/03-cli.md#bash-completions)) (#10320)
* Added `bump` command to bump requirements to the currently installed version (#10829)
* Added `audit` command to check for known security vulnerabilities in installed packages (#10798, #10898)
* Added automatic auditing of security vulnerabilities after `update` is done, can be overridden with `--no-audit` (#10798, #10898)
* Added `--audit` to `install` command to also do an audit (#10798, #10898)
* Added `r` alias to `require` command (#10953)
* Added `composer/class-map-generator` dependency to replace `Composer\Autoload\ClassMapGenerator` which is now deprecated (#10885)
* Added `--locked` to `depends`/`prohibits` commands (#10834)
* Added `--strict-psr` flag to `dump-autoload` command to fail the process if PSR violations were detected, useful for CI (#10886)
* Added `COMPOSER_PREFER_STABLE` and `COMPOSER_PREFER_LOWEST` env vars to turn on `--prefer-stable`/`--prefer-lowest` on `update` and `require` command, useful for CI (#10919)
* Added support for temporary update constraints on all packages (now also including non-root dependencies) (#10773)
* Added `--major-only` flag to the `outdated` command to show only packages with major version updates (#10827)
* Added sections for direct and transitive deps in `outdated` command output (#10779)
* Added ability for cache GC to clean up `vcs` and `repo` caches (#10826)
* Added `--gc` flag to `clear-cache` to only trigger a garbage collection instead of clearing everything (#10826)
* Added signal (SIGINT, SIGTERM, SIGHUP) handling to ensure we wait for the child process to exit before Composer exits to avoid dropping output (#10958)
* Added prompt suggesting using `--dev` when requiring packages with `dev`/`testing`/`static analysis` keywords present (#10960)
* Added warning in `require`, `init` and `create-project` commands when the latest version of a package cannot be used due to platform requirements (#10896)
* Fixed plugins from CWD/vendor being loaded in some cases like create-project or validate even though the target directory is outside of CWD (#10935)
* Fixed support for legacy (Composer 1.x, e.g. hirak/prestissimo) plugins which will not warn/error anymore if not in allow-plugins, as they are anyway not loaded (#10928)
* Fixed pre-install check for allowed plugins not taking --no-plugins into account (#10925)
* Fixed support for disable_functions containing disk_free_space (#10936)
* Fixed RootPackageRepository usages to always clone the root package to avoid interoperability issues with plugins (#10940)
* BC Break: the minimum PHP version is now 7.2.5+, use the [Composer 2.2 LTS](https://github.com/composer/composer/issues/10340) if you are stuck with an older PHP (#10343)
* BC Break: added native parameter & return types to many internal APIs, we explicitly left the most extended/implemented symbols untouched but if this causes problems nonetheless please report it ASAP (#10547, #10561)
* BC Break: added visibility to all constants, a few internal ones have been made private/protected, if this causes problems please report it ASAP (#10550)
* BC Break: the minimum supported Symfony components version is now 5.4, this only affects you if you are requiring composer/composer directly however, which is generally frowned upon
* Bumped `composer-plugin-api` to `2.3.0`
* Bumped bundled Symfony components from 2.8 to 5.4 🥳
* Added `declare(strict_types=1)` to all the classes, which for sure could cause regressions in edge cases, please report with stack traces (#10567)
* Added `--patch-only` to the `outdated` command to only show updates to patch versions and ignore new major/minor versions (#10589)
* Added clickable links to various commands for terminals which support it (#10430)
* Added ProcessExecutor ability to receive commands as arrays (internals/plugin change only) (#10435)
* Added abandoned flag to `show`/`outdated` commands JSON-formatted output (#10485)
* Added config.reference option to `path` repositories to configure the way the reference is generated, and possibly reduce composer.lock conflicts (#10488)
* Added automatic removal of allow-plugins rules when removing a plugin via the `remove` command (#10615)
* Fixed regression with plugins that modify install path of packages, [see docs](https://getcomposer.org/doc/articles/plugins.md#plugin-modifies-install-path) if you are authoring such a plugin (#10621)
* BC Break: due to an oversight, the `COMPOSER_BIN_DIR` env var for binaries added in Composer 2.2.2 had to be renamed to `COMPOSER_RUNTIME_BIN_DIR` (#10512)
* Fixed enum parsing in classmap generation with syntax like `enum foo:string` without space after `:` (#10498)
* Fixed package search not urlencoding the input (#10500)
* Fixed `reinstall` command not firing `pre-install-cmd`/`post-install-cmd` events (#10514)
* Fixed edge case in path repositories where a symlink: true option would be ignored on old Windows and old PHP combos (#10482)
* Fixed test suite compatibility with latest symfony/console releases (#10499)
* Fixed some error reporting edge cases (#10484, #10451, #10493)
* Added [`COMPOSER_BIN_DIR` env var and `_composer_bin_dir` global](https://getcomposer.org/doc/articles/vendor-binaries.md#finding-the-composer-bin-dir-from-a-binary) containing the path to the bin-dir for binaries. Packages relying on finding the bin dir with `$BASH_SOURCE[0]` will need to update their binaries (#10402)
* Fixed issue when new binary proxies are combined with PHPUnit and process isolation (#10387)
* Fixed deprecation warnings when using Symfony 5.4+ and requiring composer/composer itself (#10404)
* Bumped `composer-runtime-api` and `composer-plugin-api` to `2.2.0`
* UX Change: Added [`allow-plugins`](https://getcomposer.org/doc/06-config.md#allow-plugins) config value to enhance security against runtime execution, this will prompt you the first time you use a plugin and may hang pipelines if they aren't using --no-interaction (-n) as they should (#10314)
* Added an optimization pass to reduce the amount of redundant inspected during resolution, drastically improving memory and CPU usage (#9261, #9620)
* Added a [global $_composer_autoload_path variable](https://getcomposer.org/doc/articles/vendor-binaries.md#finding-the-composer-autoloader-from-a-binary) containing the path to autoload.php for binaries (#10137)
* Added wildcard support to --ignore-platform-req (e.g. `ext-*`) (#10083)
* Added support for ignoring the upper bound of platform requirements using "name+" notation e.g. using `--ignore-platform-req=php+` would allow installing a package requiring `php: 8.0.*` on PHP 8.1, but not on PHP 7.4. Useful for CI builds of upcoming PHP versions (#10318)
* Added support for setting platform packages to false in config.platform to disable/hide them (#10308)
* Added [`use-parent-dir`](https://getcomposer.org/doc/06-config.md#use-parent-dir) option to configure the prompt for using composer.json in upper directory when none is present in current dir (#10307)
* Added [`composer` platform package](https://getcomposer.org/doc/articles/composer-platform-dependencies.md) which is always the exact version of Composer running unlike `composer-*-api` packages (#10313)
* Added a --source flag to `config` command to show where config values are loaded from (#10129)
* Added support for `files` autoloaders in the runtime scripts/plugins contexts (#10065)
* Added retry behavior on certain http status and curl error codes (#10162)
* Added abandoned flag display in search command output
* Added support for --ignore-platform-reqs in `outdated` command (#10293)
* Added --only-vendor (-O) flag to `search` command to search (and return) vendor names (#10336)
* Added COMPOSER_NO_DEV environment variable to set the --no-dev flag (#10262)
* Fixed `archive` command to behave more like git archive, gitignore/hgignore are not taken into account anymore, and gitattributes support was improved (#10309)
* Fixed unlocking of replacers when a replaced package is unlocked (#10280)
* Fixed auto-unlocked path repo packages also unlocking their transitive deps when -w/-W is used (#10157)
* Fixed handling of recursive package links (e.g. requiring or replacing oneself)
* Fixed env var reads to check $_SERVER and $_ENV before getenv for broader ecosystem compatibility (#10218)
* Fixed `archive` command to produce archives with files sorted by name (#10274)
* Fixed VcsRepository issues where server failure could cause missing tags/branches (#10319)
* Fixed some error reporting issues (#10283, #10339)
* Removed `symfony/console ^6` support as we cannot be compatible until Composer 2.3.0 is released. If you have issues with Composer required as a dependency + Symfony make sure you stay on Symfony 5.4 for now. (#10321)
* Added many type annotations internally, which may have an effect on CI/static analysis for people using Composer as a dependency. This work will continue in following releases
* Fixed regression in 2.1.6 when parsing classmaps with empty heredocs (#10067)
* Fixed regression in 2.1.6 where list command was not showing plugin commands (#10075)
* Fixed issue handling package updates where the package type changed (#10076)
* Fixed docker being detected as WSL when run inside WSL (#10094)
* Fixed more PHP 8.1 deprecation warnings (#10036, #10038, #10061)
* Fixed corrupted zips in the cache from blocking installs until a cache clear, the bad archives are now deleted automatically on first failure (#10028)
* Fixed URL sanitizer handling of new github tokens (#10048)
* Fixed issue finding classes with very long heredocs in classmap autoload (#10050)
* Fixed proc_open being required for simple installs from zip, as well as diagnose (#9253)
* Fixed path repository bug causing symlinks to be left behind after a package is uninstalled (#10023)
* Fixed issue in 7-zip support on windows with certain archives (#10058)
* Fixed bootstrapping process to avoid loading the composer.json and plugins until necessary, speeding things up slightly (#10064)
* Fixed lib-openssl detection on FreeBSD (#10046)
* Fixed support for `ircs://` protocol for support.irc composer.json entries
* Added `--dev` to `dump-autoload` command to allow force-dumping dev autoload rules even if dev requirements are not present (#9946)
* Fixed `--no-scripts` disabling events for plugins too instead of only disabling script handlers, using `--no-plugins` is the way to disable plugins (#9942)
* Fixed handling of deletions during package installs on some filesystems (#9945, #9947)
* Fixed undefined array access when using "@php <absolutepath>" in a script handler (#9943)
* Fixed usage of InstalledVersions when loaded from composer/composer installed as a dependency and runtime Composer is v1 (#9937)
* Bumped `composer-runtime-api` and `composer-plugin-api` to `2.1.0`
* UX Change: The default install method for packages is now always dist/zip, even for dev packages, added `--prefer-install=auto` if you want the old behavior (#9603)
* UX Change: Packages from `path` repositories which are symlinked in the vendor dir will always be updated in partial updates to avoid mistakes when the original composer.json changes but the symlinked package is not explicitly updated (#9765)
* Added `reinstall` command that takes one or more package names, including wildcard (`*`) support, and removes then reinstalls them in the exact same version they had (#9915)
* Added support for parallel package installs on Windows via [7-Zip](https://www.7-zip.org/) if it is installed (#9875)
* Added `InstalledVersions::getInstalledPackagesByType(string $type)` to retrieve installed plugins for example, [read more](https://getcomposer.org/doc/07-runtime.md#knowing-which-packages-of-a-given-type-are-installed) (#9699)
* Added `InstalledVersions::getInstalledPath(string $packageName)` to retrieve the install path of a given package, [read more](https://getcomposer.org/doc/07-runtime.md#knowing-the-path-in-which-a-package-is-installed) (#9699)
* Added flag to `InstalledVersions::isInstalled()` to allow excluding dev requirements from that check (#9682)
* Added support for PHP 8.1 enums in autoloader / classmap generation (#9670)
* Added support for using `@php binary-name foo` in scripts to refer to a binary without using its full path, while forcing the use of the same PHP version that Composer used (#9726)
* Added `--format=json` support to the `fund` command (#9678)
* Added `--format=json` support to the `search` command (#9747)
* Added `COMPOSER_DEV_MODE` env var definition within the run-script command for compatibility (#9793)
* Added async uninstall of packages (#9618)
* Added color legend to `outdated` and `show --latest` commands (#9716)
* Added `secure-svn-domains` config option to mark secure svn:// hostnames and suppress warnings without disabling secure-http (#9872)
* Added `gitlab-protocol` config option to allow forcing `git` or `http` URLs for all gitlab repos loaded inline, instead of the default of git for private and http for public (#9401)
* Added generation of autoload rules in `init` command (#9829)
* Added source/dist validation in `validate` command
* Added automatic detection of WSL when generating binaries and use `bin-compat:full` implicitly (#9855)
* Added automatic detection of the --no-dev state for `dump-autoload` based on the last install run (#9714)
* Added warning/prompt to `require` command if requiring a package that already exists in require-dev or vice versa (#9542)
* Added information about package conflicts in the `why`/`why-not` commands (#9693)
* Removed version argument from `why` command as it was not needed (#9729)
* Fixed `why-not` command to always require a specific version as it is useless without (#9729)
* Fixed cache dir on macOS to follow OS guidelines, it is now in ~/Library/Caches/composer (#9898)
* Fixed composer.json JSON schema to avoid having name/description required by default (#9912)
* Fixed support for running inside WSL paths from a Windows PHP/Composer (#9861)
* Fixed InstalledVersions to include the original doc blocks when installed from a Composer phar file
* Fixed `require` command to use `*` as constraint for extensions bundled with PHP instead of duplicating the PHP constraint (#9483)
* Fixed `search` output to be aligned and avoid wrapped long lines to be more readable (#9455)
* Error output improvements for many cases (#9876, #9837, #9928, and some smaller improvements)
* Security: Fixed command injection vulnerability in HgDriver/HgDownloader and hardened other VCS drivers and downloaders (GHSA-h5h8-pc6h-jvvx / CVE-2021-29472)
* Fixed install step at the end of the init command to take new dependencies into account correctly
* Fixed `update --lock` listing updates which were not really happening (#9812)
* Fixed support for --no-dev combined with --locked in outdated and show commands (#9788)
* Reverted "Fixed runtime autoloader registration (for plugins and script handlers) to prefer the project dependencies over the bundled Composer ones" as it caused more problems than expected
* Added COMPOSER_MAX_PARALLEL_HTTP to let people set a lower amount of parallel requests if needed
* Fixed autoloader registration when plugins are loaded, which may impact plugins relying on this bug (if you use `symfony/flex` make sure you upgrade it to 1.12.2+ to fix `dump-env` issues)
* Fixed `exec` command suppressing output in some circumstances
* Fixed Windows/cmd.exe support for script handlers defined as `path/to/foo`, which are now rewritten internally to `path\to\foo` when needed
* Fixed bin handling on Windows for PHP scripts, to more closely match symlinks and allow `@php vendor/bin/foo` to work cross-platform
* Fixed Git for Windows/Git Bash not being detected correctly as an interactive shell (regression since 2.0.7)
* Fixed regression handling some private Bitbucket repository clones
* Fixed Ctrl-C/SIGINT handling during downloads to correctly abort as soon as possible
* Fixed runtime autoloader registration (for plugins and script handlers) to prefer the project dependencies over the bundled Composer ones
* Fixed numeric default branches being aliased as 9999999-dev internally. This alias now only applies to default branches being non-numeric (e.g. `dev-main`)
* Disabled platform-check verification of extensions by default (now defaulting to `php-only`), set platform-check to `true` if you want a complete check
* Improved platform-check handling of issue reporting
* Fixed platform-check to only check non-dev requires even if require-dev dependencies are installed
* Fixed issues dealing with custom installers which return trailing slashes in getInstallPath (ideally avoid doing this as there might be other issues left)
* Fixed issues when curl functions are disabled
* Fixed gitlab-domains/github-domains to make sure if they are overridden the default value remains present
* Fixed issues removing/upgrading packages from path repositories on Windows
* Fixed regression in 2.0.4 when handling git@bitbucket.org URLs in vcs repositories
* Fixed issue running create-project in current directory on Windows
* Fixed `check-platform-req` command not being clear on what packages are checked, and added a --lock flag to explicitly check the locked packages
* Fixed `config` & `create-project` adding of repositories to make sure they are prepended as order is much more important in Composer 2, also added a --append flag to `config` to restore the old behavior in the unlikely case this is needed
* Fixed curl downloader failing on old PHP releases or when using self-signed SSL certificates
* Fixed regression handling `composer show -s` in projects where no version can be guessed from VCS
* Fixed regression handling partial updates/`require` when a lock file was missing
* Fixed interop issue with plugins that need to update dist URLs of packages, [see docs](https://getcomposer.org/doc/articles/plugins.md#plugin-modifies-downloads) if you need this
* Breaking: Removed `OperationInterface::getReason` as the data was not accurate
* Added automatic removal of packages which are not required anymore whenever an update is done, this will purge packages previously left over by partial updates and `require`/`remove`
* Added shorthand aliases `-w` for `--with-dependencies` and `-W` for `--with-all-dependencies` on `update`/`require`/`remove` commands
* Added `COMPOSER_DEBUG_EVENTS=1` env var support for plugin authors to figure out which events are triggered when
* Added `setCustomCacheKey` to `PreFileDownloadEvent` and fixed a cache bug for integrations changing the processed url of package archives
* Added `Composer\Util\SyncHelper` for plugin authors to deal with async Promises more easily
* Added `$composer->getLoop()->getHttpDownloader()` to get access to the main HttpDownloader instance in plugins
* Added a non-zero exit code (2) and warning to `remove` command when a package to be removed could not be removed
* Added `--apcu-autoloader-prefix` (or `--apcu-prefix` for `dump-autoload` command) flag to let people use apcu autoloading in a deterministic output way if that is needed
* Fixed version guesser to look at remote branches as well as local ones
* Added more advanced filtering to avoid loading all versions of all referenced packages when resolving dependencies, which should reduce memory usage further in some cases
* Added an `--ask` flag to `create-project` command to make Composer prompt for the install dir name, [useful for project install instructions](https://github.com/composer/composer/pull/9181)
* Added support for tar in artifact repositories
* Added a `cache-read-only` config option to make the cache usable in read only mode for containers and such
* Added better error reporting for a few more specific cases
* Added a new optional `available-package-patterns` attribute for v2-format Composer repositories, see [UPGRADE](UPGRADE-2.0.md) for details
* Breaking: Zip archives loaded by artifact repositories must now have a composer.json on top level, or a max of one folder on top level of the archive
* Added --no-dev support to `show` and `outdated` commands to skip dev requirements
* Added support for multiple --repository flags being passed into the `create-project` command, only useful in combination with `--add-repository` to persist them to composer.json
* Breaking: This is a major release and while we tried to keep things compatible for most users, you might want to have a look at the [UPGRADE](UPGRADE-2.0.md) guides
* Many CPU and memory performance improvements
* The update command is now much more deterministic as it does not take the already installed packages into account
* Package installation now performs all network operations first before doing any changes on disk, to reduce the chances of ending up with a partially updated vendor dir
* Partial updates and require/remove are now much faster as they only load the metadata required for the updated packages
* Added a [platform-check step](doc/07-runtime.md#platform-check) when vendor/autoload.php gets initialized, which checks that the current PHP version/extensions match what is expected and fails hard otherwise. Can be disabled with the platform-check config option
* Added a [`Composer\InstalledVersions`](doc/07-runtime.md#installed-versions) class which is autoloaded in every project and lets you check which packages/versions are present at runtime
* Added a `composer-runtime-api` virtual package which you can require (as e.g. `^2.0`) to ensure things like the InstalledVersions class above are present. It will effectively force people to use Composer 2.x to install your project
* Added support for parallel downloads of package metadata and zip files. This requires that the curl extension is present, and we thus strongly recommend enabling curl
* Added support for updating to a specific version with partial updates, as well as a [--with flag](doc/03-cli.md#update--u) to pass in temporary constraint overrides
* Added `pre-operations-exec` event to be fired before the packages get installed/upgraded/removed
* Added `pre-pool-create` event to be fired before the package pool for the dependency solver is created, which lets you modify the list of packages going in
* Added --no-install flag to `update`, `require` and `remove` commands to disable the install step and only do the update step (composer.lock file update)
* Added --with-dependencies and --with-all-dependencies flag aliases to `require` and `remove` commands for consistency with `update`
* Added more info to `vendor/composer/installed.json`: a dev key stores whether dev requirements were installed, and every package now has an install-path key with its install location
* Added COMPOSER_DISABLE_NETWORK which, if set, makes Composer do its best to run offline. This can be useful when you have poor connectivity or to do benchmarking without network jitter
* Added --ignore-platform-req (without s) to all commands supporting --ignore-platform-reqs, which accepts a package name so you can ignore only specific platform requirements
* Security: Fixed command injection vulnerability in HgDriver/HgDownloader and hardened other VCS drivers and downloaders (GHSA-h5h8-pc6h-jvvx / CVE-2021-29472)
* Fixed version guessing to take composer-runtime-api and composer-plugin-api requirements into account to avoid selecting packages which require Composer 2
* Fixed package name validation to allow several dashes following each other
* Fixed post-status-cmd script not firing when there were no changes to be displayed
* Fixed composer-runtime-api support on Composer 1.x, the package is now present as 1.0.0
* Fixed support for composer show --name-only --self
* Fixed detection of GitLab URLs when handling authentication in some cases
* Added --1 flag to `self-update` command which can be added to automated self-update runs to make sure it won't automatically jump to 2.0 once that is released
* Fixed path repository symlinks being made relative when the repo url is defined as absolute paths
* Fixed potential issues when using "composer ..." in scripts and composer/composer was also required in the project
* Fixed 1.10.0 regression when downloading GitHub archives from non-API URLs
* Fixed handling of malformed info in fund command
* Fixed Symfony5 compatibility issues in a few commands
* Warning: Added a warning when class names are being loaded by a PSR-4 or PSR-0 rule only due to classmap optimization, but would not otherwise be autoloadable. Composer 2.0 will stop autoloading these classes so make sure you fix your autoload configs.
* Added new funding key to composer.json to describe ways your package's maintenance can be funded. This reads info from GitHub's FUNDING.yml by default, so it is best to configure it there so that it shows on GitHub and Composer/Packagist
* Added `composer fund` command to show funding info of your dependencies
* Added support for --format=json output for show command when showing a single package
* Added --add-repository flag to create-project command which will persist the repo given in --repository into the composer.json of the package being installed
* Breaking: artifact repositories with URLs containing port numbers and requiring authentication now require you to configure http-basic auth for the `host:port` pair explicitly
* Deprecated support for non-standard package names (anything with uppercase, or no / in it). Make sure to follow the warnings if you see any to avoid problems in 2.0.
* Fixed some packages missing from the autoloader config when installing with --no-dev
* Fixed support for cloning GitLab repos using OAuth tokens instead of SSH keys
* Fixed metapackage installs/updates missing from output
* Fixed --with-dependencies / --with-all-dependencies not updating some packages in some edge cases
* Fixed compatibility with Symfony 4.2 deprecations
* Fixed temp dir not being cleaned up on download error while archiving packages
* Improved performance of installs and updates from git clones when checking out known commits
* Added `check-platform-reqs` command that checks that your PHP and extensions versions match the platform requirements of the installed packages
* Added `--with-all-dependencies` to the `update` and `require` commands which updates all dependencies of the listed packages, including those that are direct root requirements
* Added `scripts-descriptions` key to composer.json to customize the description and document your custom commands
* Added support for the uppercase NO_PROXY env var
* Added support for COMPOSER_DEFAULT_{AUTHOR,LICENSE,EMAIL,VENDOR} env vars to pre-populate init command values
* Added support for local fossil repositories
* Added suggestions for alternative spellings when entering packages in `init` and `require` commands and nothing can be found
* Fixed installed.json data to be sorted alphabetically by package name
* Fixed compatibility with Symfony 4.x components that Composer uses
* Added `--minor-only` to the `outdated` command to only show updates to minor versions and ignore new major versions
* Added `--apcu-autoloader` to the `update`/`install` commands and `--apcu` to `dump-autoload` to enable an APCu-caching autoloader, which can be more efficient than --classmap-authoritative if you attempt to autoload many classes that do not exist, or if you cannot use authoritative classmaps for some reason
* Added summary of operations to be executed before they run, and made execution output more compact
* Added caching of git repositories if you have git 2.3+ installed. Repositories will now be cached once and then cloned from local cache so subsequent installs should be faster
* Added detection of HEAD changes to the `status` command. If you `git checkout X` in a vendor directory for example it will tell you that it is not at the version that was installed
* Added BaseCommand::isProxyCommand that can be overridden to mark a command as being a mere proxy, which helps avoid duplicate warnings etc on composer startup
* Added ability for plugins to register their own composer commands
* Optimized the autoloader initialization using static loading on PHP 5.6 and above, which reduces the load time for large classmaps to almost nothing
* Added `--latest` to `show` command to show the latest version available of your dependencies
* Added `--outdated` to `show` command and a `composer outdated` alias for it, to show only packages in need of update
* Added `--direct` to `show` and `outdated` commands to show only your direct dependencies in the listing
* Added support for editing all top-level properties (name, minimum-stability, ...) as well as extra values via the `config` command
* Added abandoned state warning to the `show` and `outdated` commands when listing latest packages
* Added support for `~/` and `$HOME/` in the path repository paths
* Added support for wildcards in the `show` command package filter, e.g. `composer show seld/*`
* Added ability to call composer itself from scripts via `@composer ...`
* Added untracked files detection to the `status` command
* Added warning to `validate` command when using exact-version requires
* Added warning once per domain when accessing insecure URLs with secure-http disabled
* Added a dependency on composer/ca-bundle (extracted CA bundle management to a standalone lib)
* Added support for empty directories when archiving to tar
* Added an `init` event for plugins to react to, which occurs right after a Composer instance is fully initialized
* Added many new detections of problems in the `why-not`/`prohibits` command to figure out why something does not get installed in the expected version
* Added a deprecation notice for script event listeners that use legacy script classes
* Fixed abandoned state not showing up if you had a package installed before it was marked abandoned
* Fixed --no-dev updates creating an incomplete lock file, everything is now always resolved on update
* Fixed partial updates in case the vendor dir was not up to date with the lock file
* Break: The `install` command now turns into an `update` command automatically if you have no composer.lock. This was done only half-way before which caused inconsistencies
* Break: By default the `remove` command now removes dependencies as well, and --update-with-dependencies is deprecated. Use --no-update-with-dependencies to get old behavior
* Added support for update channels in `self-update`. All users will now update to stable builds by default. Run `self-update` with `--snapshot`, `--preview` or `--stable` to switch between update channels.
* Added support for SSL_CERT_DIR env var and openssl.capath ini value
* Added some conflict detection in `why-not` command
* Added suggestion of root package's suggests in `create-project` command
* Fixed `create-project` ignoring --ignore-platform-reqs when choosing a version of the package
* Fixed `search` command in a directory without composer.json
* Fixed path repository handling of symlinks on Windows
* Fixed PEAR repo handling to prefer HTTPS mirrors over HTTP ones
* Fixed handling of Path env var on Windows, only PATH was accepted before
* Break: By default we now disable any non-secure protocols (http, git, svn). This may lead to issues if you rely on those. See `secure-http` config option.
* Added config.platform to let you specify what your target environment looks like and make sure you do not inadvertently install dependencies that would break it
* Added `exclude-from-classmap` in the autoload config that lets you ignore sub-paths of classmapped directories, or psr-0/4 directories when building optimized autoloaders
* Added `path` repository type to install/symlink packages from local paths
* Added `archive-format` and `archive-dir` config options to specify default values for the archive command
* Added --classmap-authoritative to `install`, `update`, `require`, `remove` and `dump-autoload` commands, forcing the optimized classmap to be authoritative
* Added -A / --with-dependencies to the `validate` command to allow validating all your dependencies recursively
* Added --strict to the `validate` command to treat any warning as an error that then returns a non-zero exit code
* Added a dependency on composer/semver, which is the externalized lib for all the version constraints parsing and handling
* Break: For forward compatibility, you should change your deployment scripts to run `composer install --no-dev`. The install command will install dev dependencies by default starting in the next release
* Break: The `update` command now has --dev enabled by default. --no-dev can be used to update without dev requirements, but it will create an incomplete lock file and is discouraged